With so many online accounts and websites to log into it is no wonder that a lot of us try to take some shortcuts now and then. One of these shortcuts is social login. Social login is when you’re given the option to use your Facebook credentials to log into a 3rd party website. If you’re somebody who takes advantage of social login then you need to be extra careful with you Facebook login details.
Without further ado, let us highlight a new Facebook login scam that has recently surfaced and show you how to avoid it.
As more and more of us are using our mobile to access the internet rather than our PCs, hackers are taking notice and coming up with scams to specifically target mobile users. For example on a desktop, you can see a lot more of a site’s URL than you can on mobile. This has led to hackers padding URLs so that they look like the URLs of reputable websites.
Let me explain a little about URLs before I go any further.
URLs are composed of 3 main components. I’ll use the domain from a Softonic article to highlight the point.
1. A domain (required)
Here Softonic.com is the domain. It would be the same with facebook.com or google.com
2. A subdomain (optional)
As you can see, en is the subdomain. It is the part of the Softonic.com domain where all of out English language content is found. Another common subdomain that you’ll see a lot is m to indicate mobile content (https://www.m.facebook.com/softonic.en/posts/1509863395724037).
3. A path (optional)
The path indicates the particular page on the domain that you’re on.
The most striking thing that you need to be aware of here is that the sub domain comes before the domain. This means is that hackers can create a sub domain, on their own website, that is the same of the domain of a reputable website. If they then pad the URL with hyphens, it’ll look very similar to the reputable websites domain.
If you’re looking closely you can see that m.facebook.com is only a subdomain and the actual domain is rickytalk.com. This means that if the page looks convincing and if you enter your Facebook login details when prompted you won’t be sending them to Facebook you’ll be sending them to rickytalk.com.
Now you might say that the above URL looks very suspicious and would be easy to spot but remember what we said earlier. On mobile you don’t see nearly as much of the websites URL as you would on desktop. Let us have a look at what it’d look like on a mobile browser.
That looks pretty convincing.
The thing is false URLs have been around for a while. The last time we highlighted them it was regarding a scam that promised themes for WhatsApp. As with all modern threats, however, they keep evolving so they remain dangerous.
As soon as you input your login details into a fake website it is over. You’ll likely be shown an error message but your details will have been saved. These details will allow the scammers to access your social media accounts and then use all of the personal information you’ve logged there to try and access your other accounts. With some accounts they won’t even have to put that much effort in. As we rely more and more on social login we must be as vigilant as ever and be extra careful about where we enter our social media login details.
Be aware of the website’s URL and if possible only ever enter your details if you’ve typed in the URL yourself. Scam URLs can be shared across all sharing platforms including social media, emails, messaging services and SMS and you have to be extra careful when opening links from any of those sources.
For more info on how to avoid phishing attacks check out our infographic and be sure to check out all of the links below.